<Kerberos Working Group> Larry Zhu
Internet Draft Microsoft
Updates: 1964 Karthik Jaganathan
Category: Standards Track Microsoft
draft-ietf-krb-wg-gssapi-cfx-00.txt August 16, 2003
Expires: February 16, 2004
Crypto Profile Based Support for the Inclusion of New Encryption andChecksum Algorithms in the Kerberos V5 GSSAPI Mechanism
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet- Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
1. Abstract
[KCRYPTO] introduced a generic framework for the inclusion of new
encryption and checksum algorithms to be used in the Kerberos V5
protocol. [AES-KRB5] describes a crypto profile (per [KCRYPTO]) for
AES. This document introduces a generic method for adding new
crypto-systems to the GSSAPI-KerberosV5 mechanism based on crypto
profiles as defined in [KCRYPTO]. It also describes the use of AES
encryption for GSSAPI as an example of this new method.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119 [2].
3. Introduction
[GSSAPI-KRB5] describes the GSSAPI mechanism for Kerberos V5. It
defines the format of context initiation, per-message and context
deletion tokens. When adding new crypto system support, the
Zhu Standards Trace - February 16, 2003 1

Crypto Profile Support for Kerberos GSSAPI August 2003
approach taken in [GSSAPI-KRB5] is to add algorithm identifiers for
each new cryptosystem.
The approach taken in this document is to use the same encryption
and checksum algorithms specified by the crypto profile for the
session key or subkey that is created during context negotiation.
Message layouts of the per-message and context deletion tokens are
revised to remove algorithm indicators and add extra information to
support the generic crypto framework [KCRYPTO].
"Newer" encryption and checksum types MUST use the new token formats
defined in this document. Older encryption and checksum types SHALL
NOT use these new token formats. The term "newer" is more precisely
defined in [KRBCLAR].
Note that in this document, "AES" is used for brevity to refer
loosely to either aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96
as defined in [AES-KRB5].
4. Quality of Protection and Algorithm Identifiers
The GSSAPI specification [GSSAPI] provides for QOP values that can
be used by the application to request a certain type of encryption
or signing. A zero QOP value is used to indicate the "default"
protection; applications which use the default QOP are not
guaranteed to be portable across implementations or even inter-
operate with different deployment configurations of the same
implementation. Using an algorithm that is different from the one
for which the key is defined may not be appropriate. Therefore, when
the new method in this document is used, the QOP value is ignored.
The encryption and checksum algorithms in per-message and context
deletion tokens are now implicitly defined by the algorithms
associated with the session and subkey. Algorithms identifiers are
therefore no longer needed and removed from the token headers.
5. Key Derivation
To limit the exposure of a given key, [KCRYPTO] adopted "one-way"
"entropy-preserving" derived keys, for different purposes or key
usages, from a base key or protocol key. This document defines four
key usage values below for signing and sealing messages:
Name value
-------------------------------------
KG-USAGE-ACCEPTOR-SIGN 22
KG-USAGE-ACCEPTOR-SEAL 23
KG-USAGE-INITIATOR-SIGN 24
KG-USAGE-INITIATOR-SEAL 25
When the sender is the context acceptor, KG-USAGE-ACCEPTOR-SIGN is
used as the usage number in the key derivation function for deriving
keys to be used in MIC and context deletion tokens, and KG-USAGE-
Zhu Standards Track - February 16, 2004 2

Crypto Profile Support for Kerberos GSSAPI August 2003
ACCEPTOR-SEAL is used for Wrap tokens; similarly when the sender is
the context initiator, KG-USAGE-INITIATOR-SIGN is used as the usage
number in the key derivation function for MIC and context deletion
tokens, KG-USAGE-INITIATOR-SEAL is used for Wrap Tokens. Even if
the Wrap token does not provide for confidentiality the same usage
values specified above are used.
6. Token Formats and Definitions
The new token formats defined in this document are designed to
accommodate the requirements of newer crypto systems. Certain
implementations of GSSAPI, such as SSPI, allow for "scatter-gather"
and in-place encryption, mostly by leveraging low level details of
crypto systems. The token layouts have been designed to satisfy the
above requirements without incurring significant performance
penalties or loosing generality.
The design along with the rationale behind it, is discussed in
detail in the following sections.
6.1. Sequence Number and Direction Indicators
The sequence number for any per-message or context deletion token is
a 64 bit integer (expressed in big endian order). One separate byte
is used as the directional indicator: the hex value FF if the sender
is the context acceptor, 00 otherwise. Both the sequence number and
the directional indicator are protected as specified in section 6.2.
6.2. Encryption and Checksum Operations
The encryption algorithms defined by the crypto profiles provide for
integrity protection. Therefore no separate checksum is needed.
In Wrap tokens that provide for confidentiality, the "header" (the
first 16 bytes of the Wrap token) is appended to the plaintext data
before encryption. Hence the resulting Wrap token is {"header" |
encrypt(plaintext-data | "header")}, where encrypt() is the
encryption operation defined in the crypto profile. In Wrap tokens
that do not provide for confidentiality, the checksum is calculated
over the plaintext data concatenated with the token header (the
first 16 bytes of the Wrap token). Hence the resulting Wrap token
is {"header" | plaintext-data | get_mic(plaintext-data | "header")},
where get_mic() is the checksum operation defined in the crypto
profile. The parameters for the key and the cipher-state in the
encrypt() and get_mic() operations have been omitted for brevity.
The resulting Wrap tokens bind the data to the token header,
including the sequence number, directional indicator, and the
rotation count.
[With AEAD, Wrap tokens with confidentiality do not need to encrypt
the header and the overhead can be reduced slightly]
Zhu Standards Track - February 16, 2004 3

Crypto Profile Support for Kerberos GSSAPI August 2003
For MIC tokens, the checksum is first calculated over the token
header (the first 16 bytes of the MIC token) and then the to-be-
signed plaintext data.
For context deletion tokens, the checksum is calculated over the
token header (the first 16 bytes of the context deletion token).
When AES is used, the checksum algorithm is HMAC_SHA1_96 and the
checksum size is 12 bytes. Data is pre-pended with a 16 byte
confounder before encryption, and no padding is needed.
6.3. RRC Field
A new field, called "RRC" (Right Rotation Count), is added to allow
the data to be encrypted in place. The resulting Wrap token in the
previous section, excluding the first 16 bytes of the token header,
is rotated to the right by "RRC" bytes. The net result is that
"RRC" bytes of trailing octets are moved toward the header.
Consider the following as an example of this rotation operation:
Assume that the RRC value is 3 and the token before the rotation is
{"header" | aa | bb | cc | dd | ee | ff | gg | hh}, the token after
rotation would be {"header" | ff | gg | hh | aa | bb | cc | dd | ee
}, where {aa | bb | cc |...| hh} is used to indicate the byte
sequence.
The RRC field is expressed as a two octet integer in big endian
order.
The rotation count value is chosen by the sender based on
implementation details, and the receiver MUST be able to interpret
all possible rotation count values.
6.4. EC Field
The decryption operation in the crypto profile may not always return
the exact length of the plaintext data. An "EC"(Extra Count) field
is added to the Wrap() token header to indicate the number of bytes
that have been added to the end of the plaintext data before
encryption. The "EC" field is a two byte integer expressed in big
endian order and it should be 00 00 if confidentiality is not
provided for by the Wrap tokens.
6.5. Seal Field
The Seal field in Wrap tokens is used to indicate whether
confidentiality is provided for. If confidentiality is provided for
by the Wrap token, this field contains the hex value FF, otherwise it
contains the hex value 00.
6.6. Message Layout for Per-message and Context Deletion Tokens
The new message layouts are as follows.
MIC Token:
Zhu Standards Track - February 16, 2004 4

Crypto Profile Support for Kerberos GSSAPI August 2003
Byte no Name Description
0..1 TOK_ID Identification field.
Tokens emitted by GSS_GetMIC()
contain the hex value 04 04 in
this field.
2..2 Direction Hex value FF if the sender is the
context acceptor, 00 otherwise.
3..7 Filler Contains 5 bytes of hex value FF.
8..15 SND_SEQ Sequence number field in
cleartext, in big endian order.
16.. SGN_CKSUM Checksum of byte 0..15 and the
"to-be-signed" data, where the
checksum algorithm is defined by
the crypto profile for the
session key or subkey.
The Filler field is included in the checksum calculation for
simplicity. This is common to both MIC and context deletion token
checksum calculations.
Wrap Token:
Byte no Name Description
0..1 TOK_ID Identification field.
Tokens emitted by GSS_Wrap()
contain the hex value 05 04
in this field.
2..2 Direction Hex value FF if the sender is the
context acceptor, 00 otherwise.
3..3 Seal Confidentiality indicator: hex
value FF if confidentiality is
provided for, 00 otherwise.
4..5 EC Contains the "extra count" field,
in big endian order as described in
section 6.4.
6..7 RRC Contains the "right rotation
count" in big endian order, as
described in section 6.3.
8..15 SND_SEQ Sequence number field in
cleartext, in big endian order.
16.. Data Encrypted or plaintext data, as
described in section 6.2, where
the encryption or checksum
algorithm is defined by the crypto
profile for the session key or
subkey.
Context Deletion Token:
Byte no Name Description
Zhu Standards Track - February 16, 2004 5

Crypto Profile Support for Kerberos GSSAPI August 2003
0..1 TOK_ID Identification field.
Tokens emitted by
GSS_Delete_sec_context() contain
the hex value 04 05 in this
field.
2..2 Direction Hex value FF if the sender is the
context acceptor, 00 otherwise.
3..7 Filler Contains 5 bytes of hex value FF.
8..15 SND_SEQ Sequence number field in
cleartext, in big endian order.
16.. SGN_CKSUM Checksum of byte 0..15, where the
checksum algorithm is defined by
the crypto profile for the
session key or subkey.
7. Backwards compatibility considerations
The new token formats defined in this document will only be
recognized by new implementations. A MIC or wrap token generated
with the algorithms defined in this document will not be recognized
by an older implementation that only recognizes the algorithms
defined in [GSSAPI-KRB5]. To address this, implementations can
always use the explicit sign or seal algorithm in [GSSAPI-KRB5] when
the key type corresponds to those algorithms. An alternative
approach might be to retry sending the message with the sign or seal
algorithm explicitly defined as in [GSSAPI-KRB5]. However this would
require the use of a mechanism such as [SPNEGO] to securely
negotiate the algorithm or the use out of band mechanism to choose
appropriate algorithms. For this reason, it is RECOMMENDED that the
use of the new token formats defined in this document be confined
only for "newer encryption and checksum" described by a crypto
profile.
8. Security Considerations
It is possible that the KDC returns a session-key type that is not
supported by the GSSAPI implementation (either on the client and the
server). In this case the implementation MUST not try to use the key
with a supported cryptosystem. This will ensure that no security
weaknesses arise due to the use of an inappropriate key with an
encryption algorithm.
In addition the security problem described in [3DES] arising from
the use of a service implementation with a GSSAPI mechanism
supporting only DES and a Kerberos mechanism supporting both DES and
Triple DES is actually a more generic one. It arises whenever the
GSSAPI implementation does not support a stronger cryptosystem
supported by the Kerberos mechanism. KDC administrators desiring to
limit the session key types to support interoperability with such
GSSAPI implementations should carefully weigh the reduction in
protection offered by such mechanisms against the benefits of
interoperability.
Zhu Standards Track - February 16, 2004 6

Crypto Profile Support for Kerberos GSSAPI August 2003
It is recommended by some cryptographers that the output of a
checksum used with an encryption algorithm should have the same
strength as the key in use. In this regard standardization work for
SHA-256 and SHA-512 to be used with AES is currently in progress.
This document retains the use of HMAC_SHA1_96 as specified in the
[AES-KRB5] draft. The use of SHA-256 or SHA-512 with AES will
require new crypto profiles and there should not be any further
changes needed to this document.
9. Acknowledgments
The authors wish to acknowledge the contributions from the following
individuals:
Ken Raeburn and Nicolas Willams corrected many of our errors in the
use of generic profiles and were instrumental in the creation of this
draft. Sam Hartman and Ken Raeburn suggested the "floating trailer"
idea.
Sam Hartman and Nicolas Williams recommended the replacing our
earlier key derivation function for directional keys with different
key usage numbers for each direction as well as retaining the
directional bit for maximum compatibility.
Paul Leach provided numerous suggestions and comments. Scott Field,
Richard Ward, Dan Simon also provided valuable inputs on this draft.
10. References
[AES] National Institute of Standards and Technology, U.S.
Department of Commerce, "Advanced Encryption Standard", Federal
Information Processing Standards Publication 197, Washington, DC,
November 2001.
[AES-KRB5] Raeburn, K., "AES Encryption for Kerberos 5", draft-raeburn-krb-rijndael-krb-05.txt, June, 2003. Work in progress.
[DES3] Raeburn, K., "Triple-DES Support for the Kerberos 5 GSSAPI
Mechanism", draft-raeburn-gssapi-krb5-3des-XX.txt in the MIT
distribution, June 2000.
[GSSAPI] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January, 2000.
[GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
RFC 1964, June, 1996.
[KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for
Kerberos 5", draft-ietf-krb-wg-crypto-05.txt, June, 2003. Work in
progress.
Zhu Standards Track - February 16, 2004 7